OverFlow_FirewallRules

Overflow Mechanism
The purpose of this message is to announce the immediate availability of an overflow mechanism designed to mitigate customer impact in the
event the existing FocalpointNet platform reaches session capacity. Per our April 11 advisory, this is a precautionary action. Based on current
loads, we do not expect any large-scale capacity breaches in the near future. However, the potential exists for isolated instances where the system may
briefly refuse new logins. By the end of May, a new, larger-capacity platform will be ready for use and will eliminate the need for this mechanism.
The overflow option should be engaged for customers who receive the "maximum sessions reached" error during login attempts. Please use the
overflow for this purpose only. While there is ample capacity to cover the aforementioned condition, the infrastructure is not yet in a position to
handle the full population of Focalpoint Net users.
To access the overflow system, the customer will be required to change their Focalpoint Net DNS to one of the names listed later in this message. The
new DNS names are segregated by function: PPTP, IPSEC, NAT-T and GIDS. As an example, an IPSEC customer should be directed to
FPNETIPSEC.GALILEO.COM, while a NAT-T customer goes to FPNETNATT.GALILEO.COM, etc. Customers behind a firewall must have it
configured to pass traffic to and from the 198.151.32.0/24 address range. The attached firewall advisory contains the port details. The same
firewall rules are required when the new Focalpoint Net platform comes on-line; therefore, consider propagating the information to your
FocalpointNet firewall customers in advance.
If a customer moves to the overflow system, they can remain there and do not need to change DNS again: the overflow hardware and DNS are
already integrated in the new platform. The preference is to use the DNS names. The numeric addresses are provided only as a failsafe where DNS
resolution is unavailable or otherwise inoperable. IP addresses are subject to change, and those who use the numeric address can be affected if
changes do occur.
IPSEC Users = FPNETIPSEC.GALILEO.COM (IP = 198.151.32.105)
PPTP Users = FPNETPPTP.GALILEO.COM (IP = 198.151.32.103)
NAT-T Users = FPNETNATT.GALILEO.COM (IP = 198.151.32.110)
GIDS Users = GIDSVPN.GALILEO.COM (IP = 198.151.32.111)
FocalpointNet VPN Firewall Rules
Purpose: Impending changes to the current FocalpointNet infrastructure require that customers using this product (with firewalls) add
rule-sets to include a new IP range.
Required Port and Protocol Information:
UDP 500 for ISAKMP
Protocol 50 (IPSec ESP)
UDP 4500 for NAT-T
TCP 1723 for PPTP
Protocol 47 (GRE)
Customers should already have something similar to this configuration.
Generic Rules:

Source                                        Destination                                   Protocol         Port
Agency LAN IP or 3rd party Router Public IP   12.17.202.0/23                                udp (17)         500
Agency LAN IP or 3rd party Router Public IP   12.17.202.0/23                                ipsec esp (50)   N/A
Agency LAN IP or 3rd party Router Public IP   12.17.202.0/23                                udp (17)         4500
Agency LAN IP or 3rd party Router Public IP   12.17.202.0/23                                TCP (47)         1723
12.17.202.0/23                                Agency LAN IP or 3rd party Router Public IP   udp (17)         500
12.17.202.0/23                                Agency LAN IP or 3rd party Router Public IP   ipsec esp (50)   N/A
12.17.202.0/23                                Agency LAN IP or 3rd party Router Public IP   udp (17)         4500
12.17.202.0/23                                Agency LAN IP or 3rd party Router Public IP   TCP (47)         1723
New information for customers:
Customers with firewalls should add the following rules to allow the new subnet range for FocalpointNet VPN client
connectivity.
Source                                        Destination                                   Protocol         Port
Agency LAN IP or 3rd party Router Public IP   198.151.32.0/24                               udp (17)         500
Agency LAN IP or 3rd party Router Public IP   198.151.32.0/24                               ipsec esp (50)   N/A
Agency LAN IP or 3rd party Router Public IP   198.151.32.0/24                               udp (17)         4500
Agency LAN IP or 3rd party Router Public IP   198.151.32.0/24                               TCP (47)         1723
198.151.32.0/24                               Agency LAN IP or 3rd party Router Public IP   udp (17)         500
198.151.32.0/24                               Agency LAN IP or 3rd party Router Public IP   ipsec esp (50)   N/A
198.151.32.0/24                               Agency LAN IP or 3rd party Router Public IP   udp (17)         4500
198.151.32.0/24                               Agency LAN IP or 3rd party Router Public IP   TCP (47)         1723
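The following is an added example, not part of the Galileo advisory: it models the port/protocol list and both rule tables above, then evaluates sample flows to show that a firewall holding only the legacy 12.17.202.0/23 rules silently drops traffic to the overflow hosts in 198.151.32.0/24. The agency address 203.0.113.10 is a constructed documentation address, protocol numbers follow IANA (TCP is 6, GRE is 47), and a rule's port is matched against either end of the flow because the tables list only the service port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The advisory's "Required Port and Protocol Information", with IANA protocol
# numbers (UDP 17, ESP 50, TCP 6, GRE 47). Port None: the protocol has no ports.
FPNET_SERVICES = (
    ("isakmp", 17, 500),   # IKE key exchange
    ("esp",    50, None),  # IPsec ESP payload
    ("nat-t",  17, 4500),  # IPsec over UDP for clients behind NAT
    ("pptp",    6, 1723),  # PPTP control channel
    ("gre",    47, None),  # PPTP tunnel payload
)
LEGACY_RANGE = ip_network("12.17.202.0/23")    # current FocalpointNet range
OVERFLOW_RANGE = ip_network("198.151.32.0/24")  # overflow / new platform range
AGENCY = "agency"  # stands for "Agency LAN IP or 3rd party Router Public IP"

@dataclass(frozen=True)
class Rule:
    name: str
    src: object          # ip_network, or AGENCY
    dst: object
    proto: int
    port: Optional[int]  # service port; None where the table says N/A

    def matches(self, flow, agency_net):
        src, dst, proto, sport, dport = flow  # flow = (src_ip, dst_ip, proto, sport, dport)
        src_net = agency_net if self.src == AGENCY else self.src
        dst_net = agency_net if self.dst == AGENCY else self.dst
        return (ip_address(src) in src_net and ip_address(dst) in dst_net
                and proto == self.proto
                and (self.port is None or self.port in (sport, dport)))

def build_rules(vpn_ranges):
    """One outbound and one inbound rule per service and range, as in the tables."""
    return [Rule(f"{name} {direction}", s, d, proto, port)
            for vpn in vpn_ranges
            for name, proto, port in FPNET_SERVICES
            for direction, s, d in (("out", AGENCY, vpn), ("in", vpn, AGENCY))]

def evaluate(rules, agency_net, flow):
    """Name of the first matching rule, or None for the implicit default deny."""
    return next((r.name for r in rules if r.matches(flow, agency_net)), None)

# Constructed sample: agency router 203.0.113.10 (documentation address) and the
# overflow IPSEC host from the advisory, FPNETIPSEC.GALILEO.COM = 198.151.32.105.
AGENCY_NET = ip_network("203.0.113.10/32")
LEGACY_ONLY = build_rules([LEGACY_RANGE])
UPDATED = build_rules([LEGACY_RANGE, OVERFLOW_RANGE])
IKE_TO_OVERFLOW = ("203.0.113.10", "198.151.32.105", 17, 500, 500)
```

Evaluating IKE_TO_OVERFLOW against LEGACY_ONLY returns None (the IKE exchange never reaches the overflow host), while against UPDATED it returns "isakmp out"; an unrelated TCP 443 flow to the same host stays denied under both rule sets.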